November sees a mix of remote code execution and elevation of privilege vulnerabilities enabling an attacker to gain the same rights as the user when the victim opens specially crafted content, such as a webpage, journal file or document containing embedded fonts. These vulnerabilities affect Internet Explorer (7 and onwards), Edge, and Windows (Vista and onwards).  It is advisable for users and administrators to patch the affected platforms.

Microsoft includes 12 security bulletins, a third of them rated as critical, resolving a total of 49 vulnerabilities. All of the critical bulletins (MS15-112, MS15-113, MS15-114, MS15-115) are remote code execution issues affecting affecting a variety of products and platforms including Edge, Internet Explorer, Lync, Office, Office for Mac, Office Web Apps, Skype for Business, SharePoint Server and all supported releases of Microsoft Windows.

MS15-112 is the bulletin to watch out for this month, it addresses 25 vulnerabilities. It is rated Critical for Internet Explorer 7 - 11 on Windows clients and moderate on Windows servers. Microsoft's update addresses the vulnerabilities by resolving underlaying issues with how objects are handled in memory for JScript and VBScript, properly re-implemeting the ASLR security feature and adding additional permissions to Internet Explorer.

Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code and gain the same rights as the user. Your best protection against these threats is to patch as quickly as possible.

Resolved Vulnerability Reference: